AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 15011575

1746 questions total · 24pages · All types, answers revealed

Page 20

Page 21 of 24

Page 22
1501
Drag & Dropmedium

Drag and drop the steps to migrate an on-premises MySQL database to Amazon RDS using AWS DMS in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the replication instance, then endpoints, then the migration task, start it, and finally cut over.

1502
MCQmedium

A financial services company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application is deployed across multiple Availability Zones. The company recently experienced a DDoS attack that overwhelmed the ALB and caused downtime. The security team wants to implement a solution that can absorb DDoS attacks at the edge and only forward legitimate traffic to the ALB. Additionally, the company needs to protect sensitive data in transit using TLS 1.3. What should the solutions architect do?

A.Deploy Amazon CloudFront in front of the ALB with AWS Shield Advanced and enforce TLS 1.3.
B.Use AWS WAF with rate-based rules and associate it with the ALB.
C.Use an AWS Network Firewall and configure stateful rules to block malicious IPs.
D.Enable AWS Shield Standard and use security groups to restrict traffic.
AnswerA

CloudFront with Shield Advanced provides edge DDoS protection and TLS termination.

Why this answer

Option C is correct. AWS Shield Advanced provides DDoS protection and can be combined with CloudFront or Global Accelerator. Using CloudFront with Shield Advanced provides edge protection and can enforce TLS 1.3.

Option A is incorrect because Shield Standard is free but provides limited protection; it may not be sufficient. Option B is incorrect because NACLs are not effective against DDoS attacks at the edge. Option D is incorrect because WAF is for web application filtering, not for absorbing DDoS traffic at the edge.

1503
MCQhard

A company is designing a new multi-region disaster recovery solution for a critical application running on AWS. The primary region is us-east-1. The application uses Amazon RDS for MySQL with Multi-AZ, and runs on EC2 instances behind an ALB. The RPO must be less than 5 minutes, and RTO less than 30 minutes. The company wants to minimize costs when the DR solution is not in use. Which solution should a Solutions Architect recommend?

A.Use RDS MySQL with cross-Region read replicas in us-west-2. Use a hot standby EC2 environment with a single instance. Use Route 53 failover routing.
B.Back up RDS MySQL to S3 using automated snapshots and copy them to us-west-2. Use EC2 instances with S3-mounted volumes to serve traffic from the backup.
C.Use RDS MySQL with Multi-AZ in us-east-1 and a second Multi-AZ deployment in us-west-2. Keep EC2 instances running in us-west-2 behind an ALB with cross-Region load balancing.
D.Set up an RDS MySQL cross-Region read replica in us-west-2. Keep a standby EC2 environment with Auto Scaling configured to scale from 0 to minimum instances using a CloudWatch alarm on health checks. Use Route 53 failover routing to switch DNS to us-west-2.
AnswerD

Cross-Region read replicas provide low RPO; scaling from 0 minimizes cost; Route 53 failover provides RTO.

Why this answer

Option A is correct because RDS cross-Region replication provides RPO of seconds, and using a standby EC2 environment with Auto Scaling configured for minimum zero instances (scaling based on DNS or health checks) minimizes cost. Option B is wrong because Multi-AZ does not provide cross-Region failover. Option C is wrong because read replicas are for read scaling, not DR failover, and cannot be promoted quickly.

Option D is wrong because S3 is not a database; this doesn't meet RPO/RTO.

1504
MCQmedium

A company is designing a new application that will run on Amazon ECS with Fargate. The application must process messages from an Amazon SQS queue and store results in an Amazon DynamoDB table. The workload is unpredictable and can scale from 0 to thousands of messages per second. What is the MOST cost-effective and scalable architecture?

A.Run an Amazon ECS service with Fargate that polls the SQS queue and writes to DynamoDB. Configure auto scaling based on CPU utilization.
B.Use an Amazon ECS service with Fargate and a target tracking scaling policy based on SQS queue depth.
C.Use Amazon Kinesis Data Streams to ingest messages and an AWS Lambda function to process and write to DynamoDB.
D.Use an AWS Lambda function with an SQS trigger to process messages and write to DynamoDB.
AnswerD

Lambda scales to zero when idle and scales up to handle thousands of messages, making it cost-effective and scalable.

Why this answer

Option C is correct because using a Lambda function to poll the SQS queue and write to DynamoDB is serverless, scales automatically, and is cost-effective for unpredictable workloads. Option A is wrong because provisioning EC2 instances for ECS with Fargate still incurs costs even when idle. Option B is wrong because ECS with Fargate services require at least one running task, which may be idle.

Option D is wrong because Kinesis Data Streams is designed for real-time streaming, not for standard message queuing, and may be more expensive.

1505
MCQmedium

A company is migrating a monolithic application to Amazon ECS. The application currently stores session data in local memory. Which migration strategy should the company adopt to ensure scalability and fault tolerance?

A.Store session data in Amazon ElastiCache for Redis.
B.Use Amazon S3 to store session data.
C.Use sticky sessions (session affinity) on the Application Load Balancer.
D.Migrate session data to Amazon DynamoDB.
AnswerA

ElastiCache provides a highly available, in-memory cache that containers can access independently.

Why this answer

C is correct because storing session data in Amazon ElastiCache decouples state from the container, enabling horizontal scaling and resilience. A is wrong because local memory prevents scaling. B is wrong because DynamoDB is a database, not a caching layer for session state.

D is wrong because it does not solve the issue of session persistence across containers.

1506
MCQhard

A company is designing a serverless application that uses AWS Lambda to process events from Amazon DynamoDB Streams. The Lambda function updates an Amazon RDS for MySQL database. The company expects a high volume of updates and is concerned about the Lambda function causing too many connections to the database. How should the company design the solution to manage the database connection pool effectively?

A.Increase the Lambda function timeout and use a single database connection per function instance.
B.Use Amazon RDS Proxy to pool database connections, and configure the Lambda function to connect through the proxy.
C.Use a singleton Lambda function with a reserved concurrency of 1 to ensure only one connection is used.
D.Use a Lambda function that batches records from DynamoDB Streams and uses a single database connection per batch.
AnswerB

RDS Proxy efficiently manages connection pooling and reduces load on the database.

Why this answer

Option D is correct because Lambda functions should not maintain persistent connections across invocations; using RDS Proxy manages connection pooling. Option A is not possible in Lambda. Option B is not recommended because Lambda can scale rapidly.

Option C does not solve the connection pooling issue.

1507
Multi-Selecthard

A company has a production AWS account with multiple VPCs connected via a Transit Gateway. The security team wants to centrally inspect all traffic between VPCs using a third-party firewall appliance. The firewall must be able to process traffic, and the solution must be highly available. Which THREE steps should the company take?

Select 3 answers
A.Attach Elastic Network Interfaces (ENIs) of the firewall instances to the inspection VPC subnets.
B.Configure the Transit Gateway to propagate routes directly between VPCs.
C.Deploy the firewall appliance as an EC2 instance in each AZ, with auto scaling groups.
D.Use a single route table in the Transit Gateway for all VPC attachments.
E.Create a dedicated inspection VPC with firewall instances in different Availability Zones.
AnswersA, C, E

ENIs are required for traffic to pass through the firewall.

Why this answer

Options A, B, and D are correct: A creates an inspection VPC, B places instances across AZs for HA, and D uses ENIs in each subnet. Option C is wrong because a single route table limits HA. Option E is wrong because it bypasses inspection.

1508
MCQmedium

A global company is using a multi-account AWS Organizations setup with a centralized logging account. They want to aggregate CloudTrail logs from all accounts into a single S3 bucket in the logging account. Which combination of steps will meet this requirement?

A.Create an IAM role in each account that allows the logging account to assume and copy logs. Schedule a Lambda function to copy logs hourly.
B.Create an S3 bucket in the logging account with a bucket policy that grants read/write access to all accounts. Configure each account's CloudTrail to deliver to that bucket.
C.Create a CloudTrail trail in the management account that applies to all accounts in the organization, and specify the S3 bucket in the logging account as the destination.
D.Enable AWS Config in each account and stream configuration history to a centralized S3 bucket.
AnswerC

Organization trails deliver logs from all accounts to a single bucket.

Why this answer

Option C is correct because AWS Organizations allows you to create a single CloudTrail trail in the management account that automatically applies to all member accounts. By specifying the S3 bucket in the centralized logging account as the destination, CloudTrail delivers logs from every account directly to that bucket without needing cross-account IAM roles or manual copying. This leverages the organization trail feature, which simplifies log aggregation and ensures consistent logging across the entire organization.

Exam trap

The trap here is that candidates often assume they need to configure CloudTrail in each account individually or use cross-account IAM roles to copy logs, but AWS Organizations provides a native organization trail feature that automatically aggregates logs from all accounts into a single S3 bucket in a centralized logging account.

How to eliminate wrong answers

Option A is wrong because it introduces unnecessary complexity and latency by requiring an IAM role in each account and a scheduled Lambda function to copy logs hourly, which is not real-time and violates the principle of least privilege by granting cross-account copy permissions. Option B is wrong because CloudTrail does not support delivering logs to an S3 bucket in a different account using a bucket policy that grants read/write access to all accounts; CloudTrail requires the destination bucket to be in the same account as the trail or uses an organization trail with a bucket policy that grants CloudTrail service principal write access, not all accounts. Option D is wrong because AWS Config streams configuration history and changes, not CloudTrail logs, and it does not aggregate CloudTrail API activity logs; it serves a different purpose for compliance and resource tracking.

1509
MCQmedium

Refer to the exhibit. A solutions architect runs the CLI command and gets the output shown. What does the state 'running' indicate about the instance?

A.The instance is pending.
B.The instance is stopped.
C.The instance is running and has passed its status checks.
D.The instance is terminated.
AnswerC

Running means the instance is operational.

Why this answer

The CLI command `aws ec2 describe-instance-status` returns the instance state as 'running' and the instance status as 'ok'. The 'running' state in the output refers to the EC2 instance's lifecycle state, but the question specifically asks what the 'running' state indicates about the instance. In the context of `describe-instance-status`, the 'running' state shown is the instance's lifecycle state, which means the instance is powered on and has passed its initial boot.

However, the correct interpretation here is that the instance is running and has passed its status checks (both system status and instance status are 'ok'), as indicated by the full output. Option C is correct because the output shows the instance is in the 'running' state and all status checks have passed.

Exam trap

The trap here is that candidates often confuse the instance lifecycle state (e.g., 'running') with the status check results, assuming 'running' alone implies full health, but the question requires recognizing that the output also includes 'InstanceStatus: ok' and 'SystemStatus: ok', which together confirm the instance is running and has passed its status checks.

How to eliminate wrong answers

Option A is wrong because 'pending' is a separate lifecycle state that occurs when an instance is starting up, not when it is already running; the output explicitly shows 'running', not 'pending'. Option B is wrong because 'stopped' is a different lifecycle state where the instance is shut down and not running; the output shows 'running', so the instance is not stopped. Option D is wrong because 'terminated' is a final lifecycle state where the instance is permanently deleted and cannot be started; the output shows 'running', so the instance is not terminated.

1510
Multi-Selectmedium

A company runs a stateless web application on EC2 instances in an Auto Scaling group. The application experiences high latency during peak hours. The operations team suspects that the instances are overloaded. Which TWO actions should the team take to improve performance and scalability? (Choose two.)

Select 2 answers
A.Increase the Auto Scaling group's desired capacity to a higher fixed value.
B.Configure an Application Load Balancer in front of the Auto Scaling group.
C.Switch to a different Amazon Machine Image (AMI) with optimized performance.
D.Launch the Auto Scaling group in multiple Availability Zones.
E.Increase the instance size to a larger type.
AnswersB, D

ALB distributes traffic evenly across instances.

Why this answer

Option B is correct because adding an ALB distributes traffic across instances. Option D is correct because launching instances across multiple AZs improves availability and scalability. Option A is wrong because larger instances may not help if the issue is concurrency.

Option C is wrong because increasing desired capacity without a load balancer may cause uneven distribution. Option E is wrong because changing the AMI does not directly improve performance.

1511
MCQmedium

A company is designing a new microservices application on AWS. The application consists of several services that need to communicate asynchronously. One service generates orders and sends them to a processing service. The order volume can vary significantly, and the processing service must scale independently. The company wants to use a managed service to decouple the services and ensure that messages are not lost. The processing service is written in Python and runs on AWS Lambda. The solutions architect needs to design the message delivery mechanism. The architect decides to use Amazon SQS. However, the Lambda function sometimes fails to process a message due to a transient error, and the message should be retried. After a maximum of three retries, the message should be moved to a dead-letter queue for analysis. Which configuration should the architect use?

A.Configure the SQS DLQ with a redrive policy that allows messages to be sent back to the source queue after 3 retries.
B.Configure the SQS queue with a visibility timeout of 6 minutes and a redrive policy with maxReceiveCount of 3, pointing to a DLQ.
C.Configure the SQS queue with a visibility timeout of 30 seconds and a redrive policy with maxReceiveCount of 3, pointing to a DLQ.
D.Configure Lambda with a reserved concurrency of 1 and set the SQS queue's redrive policy to maxReceiveCount of 3.
AnswerB

Visibility timeout should be at least 6 times the Lambda timeout (default 1 minute) to allow retries; maxReceiveCount=3 moves to DLQ after 3 retries.

Why this answer

Amazon SQS supports redrive policy with maxReceiveCount to specify the number of retries before moving to a DLQ. Setting maxReceiveCount to 3 and specifying a DLQ ARN meets the requirement. Option B is correct.

Option A is wrong because setting the visibility timeout too high delays retries. Option C is wrong because Lambda's retry behavior is separate; SQS handles retries via visibility timeout. Option D is wrong because DLQ must be configured on the source queue, not the DLQ itself.

1512
MCQhard

A migration engineer is setting up an AWS DMS task to migrate data from an on-premises Oracle database to Amazon RDS for PostgreSQL. The engineer attaches this IAM policy to the DMS service role. The DMS task fails with an error indicating insufficient privileges. What is the most likely cause?

A.The policy does not allow the s3:ListBucket action for the S3 bucket
B.The policy does not allow the dms:TestConnection action
C.The policy does not allow the dms:CreateEndpoint action
D.The policy does not allow the rds:ModifyDBInstance action
AnswerC

Correct. DMS needs permissions to create and describe endpoints for the source and target.

Why this answer

DMS needs permission to describe endpoints and test connections, which are not in the policy. The policy allows creating and starting tasks but not the prerequisite actions like creating endpoints. S3 access is correct if using S3 as a source/target, but the core issue is missing endpoint permissions.

1513
MCQhard

A company is designing a disaster recovery solution for a critical database using Amazon RDS Multi-AZ. However, they also need to protect against regional failures. Which additional AWS service should they use?

A.RDS Multi-AZ in the same region
B.RDS Cross-Region Read Replicas
C.Amazon S3
D.AWS Database Migration Service
AnswerB

Provides a readable replica in another region for DR.

Why this answer

Option B is correct because RDS Cross-Region Read Replicas provide a secondary database in another region for DR. Option A is wrong because Multi-AZ only protects within a single region. Option C is wrong because DMS is for migration, not DR.

Option D is wrong because S3 is not a database DR solution.

1514
MCQeasy

A company has an S3 bucket policy as shown in the exhibit. The bucket 'my-bucket' is owned by account 111111111111. What access does this policy grant to account 123456789012?

A.Full S3 access to the bucket and objects for the root user of account 123456789012.
B.Full S3 access to the bucket and objects for all IAM users in account 123456789012.
C.No access because the root user is not allowed.
D.Read-only access to the bucket.
AnswerA

The policy grants s3:* to the root user of the specified account.

Why this answer

Option A is correct. The policy allows the root user of account 123456789012 to perform all S3 actions on the bucket and its objects. Option B is wrong because the policy does not restrict to a specific user.

Option C is wrong because the root user is allowed. Option D is wrong because the policy explicitly allows all actions.

1515
MCQmedium

A company is migrating a batch processing workload to AWS. The workload runs on a scheduled basis and processes large files from an on-premises NFS share. The company wants to use AWS services to replace the on-premises server and minimize operational overhead. Which solution is MOST suitable?

A.Use AWS Lambda to directly read from the NFS share over VPN and process the files.
B.Mount the on-premises NFS share to Amazon EFS using AWS Direct Connect, and use AWS Batch with AWS Fargate to process the files.
C.Use AWS Snowball Edge to transfer files to Amazon S3 and then process with EC2 instances.
D.Use AWS DataSync to copy files to Amazon S3 and trigger an AWS Lambda function to process.
AnswerB

Serverless, scheduled processing with minimal overhead.

Why this answer

Option C is correct because AWS Batch with Fargate is serverless and integrates with EFS, which can be mounted to replace NFS. Option A is wrong because Snowball is not for ongoing processing. Option B is wrong because DataSync does not process data.

Option D is wrong because Lambda has execution time limits and file size limits.

1516
MCQmedium

A company has a multi-account environment with a central security account. They want to use AWS Security Hub to aggregate findings from all accounts. What is the correct setup?

A.Set up Amazon EventBridge to forward findings from each account to the central account.
B.Use Amazon CloudWatch cross-account dashboards to view findings.
C.Enable AWS Config aggregator in the central account.
D.Enable Security Hub in the central account and invite member accounts to enable Security Hub.
AnswerD

This is the standard way to aggregate findings in Security Hub.

Why this answer

Option D is correct because AWS Security Hub uses a multi-account architecture where a central administrator account invites member accounts to enable Security Hub. This allows the administrator account to aggregate findings, insights, and compliance scores from all member accounts into a single view, enabling centralized security monitoring without additional forwarding infrastructure.

Exam trap

The trap here is that candidates confuse Security Hub's multi-account model with other aggregation services like AWS Config aggregator or CloudWatch cross-account dashboards, assuming any cross-account aggregation tool can consolidate Security Hub findings, when in fact Security Hub requires its own dedicated multi-account feature.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge can forward events but is not the native mechanism for Security Hub multi-account aggregation; Security Hub uses its own invitation-based model, and EventBridge would require custom event buses and rules, adding unnecessary complexity and missing native cross-account finding consolidation. Option B is wrong because Amazon CloudWatch cross-account dashboards aggregate metrics and logs, not Security Hub findings; Security Hub findings are not stored in CloudWatch Logs or Metrics by default, so dashboards cannot display them. Option C is wrong because AWS Config aggregator aggregates AWS Config rules and compliance data across accounts, not Security Hub findings; Security Hub findings are separate from AWS Config and require Security Hub's own multi-account enablement.

1517
MCQhard

A global company is using AWS Organizations with hundreds of accounts. The IT team needs to centrally manage DNS records for all accounts using Amazon Route 53 private hosted zones. The solution must be highly available and support cross-account DNS resolution. What should the team do?

A.Create a private hosted zone in the central account and configure Route 53 Resolver rules in each account to forward queries to the central account.
B.Create a private hosted zone in each account and configure Route 53 inbound endpoints in the central account to accept DNS queries.
C.Create a private hosted zone in the central account, associate it with a central VPC, and configure Route 53 Resolver outbound endpoints in each account to forward DNS queries to the central account.
D.Create a private hosted zone in each account and use Route 53 zone sharing to share it with the central account.
AnswerC

Resolver endpoints enable cross-account DNS resolution.

Why this answer

Option B is correct because using a Route 53 Resolver outbound endpoint in the central account and associating the private hosted zone with the shared VPC allows cross-account DNS resolution. Option A is wrong because sharing the entire private hosted zone with all accounts is not possible. Option C is wrong because Route 53 inbound endpoints only handle DNS queries from on-premises.

Option D is wrong because using Route 53 Resolver rules is part of the correct solution but the zone still needs to be associated with the central VPC.

1518
Multi-Selecthard

A company is designing a new disaster recovery solution for a critical application that runs on Amazon EC2 instances in a single AWS Region. The solution must have a Recovery Time Objective (RTO) of less than 15 minutes and a Recovery Point Objective (RPO) of less than 5 minutes. The application data is stored on Amazon EBS volumes. Which THREE steps should be taken to meet these requirements? (Choose three.)

Select 3 answers
A.Create Amazon Machine Images (AMIs) with pre-installed software and use AWS Backup to automate recovery in another region.
B.Use Amazon EBS snapshots and replicate them to another AWS Region using cross-region snapshot copy.
C.Use AWS CloudEndure Disaster Recovery to continuously replicate the EC2 instances to another region.
D.Enable Amazon S3 cross-region replication for the EBS snapshots.
E.Use AWS Database Migration Service (DMS) to replicate data to a secondary region.
AnswersA, B, C

AWS Backup can create AMI backups and support cross-region copy and restore.

Why this answer

Option A is correct because creating AMIs with pre-installed software and using AWS Backup to automate recovery in another region enables rapid instance launch with all required software already configured, supporting an RTO of under 15 minutes. AWS Backup can automate cross-region AMI copying and recovery, ensuring the RPO of less than 5 minutes is met when combined with frequent backup schedules.

Exam trap

The trap here is that candidates may confuse S3 cross-region replication (which works only for S3 objects) with the cross-region snapshot copy feature for EBS, leading them to select option D incorrectly.

1519
MCQhard

A company uses AWS Organizations with hundreds of accounts. The security team needs to ensure that no IAM user in any account can create a new IAM user or access key. What is the most scalable way to enforce this?

A.Use AWS Config rules to detect and automatically delete any new users or keys.
B.Enable AWS CloudTrail and create a metric filter to alert on these actions.
C.Attach an IAM policy to the Administrator role in each account that denies these actions.
D.Apply a service control policy (SCP) that denies the iam:CreateUser and iam:CreateAccessKey actions.
AnswerD

SCPs apply to all principals in the account.

Why this answer

Service control policies (SCPs) are the most scalable way to enforce restrictions across all accounts in an AWS Organization because they apply to all IAM users and roles in every member account, including the root user. By denying the iam:CreateUser and iam:CreateAccessKey actions at the organization root or OU level, the security team can prevent any IAM user from creating new users or access keys without needing to manage individual account policies or rely on reactive measures.

Exam trap

The trap here is that candidates often choose Option C because they think attaching a deny policy to the Administrator role is sufficient, but they overlook that SCPs are the only mechanism that can restrict the root user and scale across hundreds of accounts without per-account management.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are reactive—they detect non-compliant resources after creation and can trigger auto-remediation, but they do not prevent the action from occurring, leaving a window where the user or key exists and could be used. Option B is wrong because CloudTrail with metric filters and alerts only provides notification after the fact; it does not block the action, so the security violation still occurs. Option C is wrong because attaching an IAM policy to the Administrator role in each account is not scalable for hundreds of accounts—it requires manual per-account configuration and does not prevent actions by the root user or other roles that might bypass the policy.

1520
MCQmedium

A company runs a stateful web application on EC2 instances in an Auto Scaling group. The application uses a shared EFS file system for persistent data. The operations team notices that during scale-in events, some requests fail because the instance is terminated while still processing. What is the BEST way to prevent request failures during scale-in?

A.Use a Network Load Balancer with connection draining enabled
B.Increase the cooldown period for the Auto Scaling group
C.Decrease the scale-in threshold to reduce the frequency of termination
D.Use lifecycle hooks to put the instance in a 'terminating:wait' state and complete request processing
AnswerD

Lifecycle hooks allow graceful shutdown.

Why this answer

Option C is correct because lifecycle hooks allow the Auto Scaling group to wait for a custom action (e.g., drain connections) before terminating an instance. Option A (increase cooldown) delays scaling but does not prevent interruption. Option B (decrease scale-in threshold) reduces the chance but not the issue.

Option D (use a Network Load Balancer) does not help with instance termination.

1521
MCQhard

A company is designing a new data lake solution on AWS using Amazon S3 as the storage layer. The data lake will be used by multiple teams for analytics and machine learning. The company needs to enforce fine-grained access control at the object level, enable auditing of data access, and ensure that sensitive data is masked for unauthorized users. Which combination of AWS services should be used?

A.Use S3 bucket policies and S3 access logs for auditing.
B.Use Amazon Macie to discover sensitive data and apply S3 bucket policies to restrict access.
C.Use IAM policies with condition keys and enable AWS CloudTrail for auditing.
D.Use AWS Lake Formation for fine-grained access control and auditing, and Amazon S3 Object Lambda to mask data on the fly.
AnswerD

Lake Formation provides row/column-level security and auditing; S3 Object Lambda can transform data for masking.

Why this answer

Option D is correct because AWS Lake Formation provides fine-grained access control at the column, row, and cell level for data in S3, and it integrates with AWS CloudTrail for auditing data access. Amazon S3 Object Lambda can transform data on the fly, such as masking sensitive fields, before returning it to the requester, meeting the requirement to mask data for unauthorized users.

Exam trap

The trap here is that candidates often assume IAM policies or S3 bucket policies alone can achieve fine-grained access control, but they lack the column/row-level granularity and dynamic data masking that Lake Formation and S3 Object Lambda provide.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies alone cannot enforce fine-grained access control at the object level (e.g., column or row level), and S3 access logs provide basic request logging but lack the granular auditing and data masking capabilities required. Option B is wrong because Amazon Macie discovers sensitive data but does not enforce access control or mask data; S3 bucket policies are too coarse for fine-grained control and cannot mask data on the fly. Option C is wrong because IAM policies with condition keys can restrict access based on attributes like tags or IP, but they cannot provide column/row-level permissions or mask sensitive data; AWS CloudTrail logs API calls but does not enable real-time data masking.

1522
MCQhard

A company is migrating a legacy monolithic application to a microservices architecture on AWS. The application has a relational database with complex queries. The team wants to minimize changes to the existing codebase. Which database migration strategy should be recommended?

A.Use Amazon RDS for MySQL or PostgreSQL with read replicas.
B.Use Amazon Aurora Serverless to reduce management.
C.Store data in Amazon S3 and use Athena for queries.
D.Migrate to Amazon DynamoDB for scalability.
AnswerA

RDS maintains SQL compatibility, minimizing code changes.

Why this answer

Option C is correct because using Amazon RDS (same database engine) minimizes code changes as the application can connect via standard drivers. Option A is wrong because DynamoDB requires schema redesign. Option B is wrong because Aurora Serverless may require driver changes.

Option D is wrong because S3 is for files.

1523
Multi-Selecthard

A company is migrating to a multi-account AWS environment. They want to centralize DNS management using Amazon Route 53 private hosted zones. The private zones must be accessible from all VPCs in the organization. Which THREE steps are required to achieve this?

Select 3 answers
A.Create a private hosted zone in the central networking account.
B.Share the private hosted zone with other accounts using AWS Resource Access Manager.
C.Create a public hosted zone with the same name and configure DNSSEC.
D.Associate the private hosted zone with the VPCs in the member accounts.
E.Create a Route 53 Resolver outbound endpoint in each account.
AnswersA, B, D

Central account holds the zone.

Why this answer

Option A is correct because a private hosted zone must be created in a central networking account to serve as the authoritative DNS namespace for the organization's internal resources. This central account acts as the zone owner, allowing the zone to be associated with VPCs across multiple accounts via AWS Resource Access Manager (RAM).

Exam trap

The trap here is that candidates often confuse the need for a public hosted zone or outbound endpoints with the simpler mechanism of sharing a private hosted zone via AWS RAM and associating it with VPCs, leading them to select unnecessary or incorrect options.

1524
MCQmedium

A company is migrating a monolithic e-commerce application to AWS. The application consists of a web frontend, a REST API, and a PostgreSQL database. The migration plan is to containerize the frontend and API using Amazon ECS with Fargate, and use Amazon RDS for PostgreSQL. The company expects variable traffic with peak loads during promotional events. The architecture must be highly available and cost-effective. The operations team wants to minimize manual scaling interventions. Which solution should a Solutions Architect recommend?

A.Deploy the API and frontend on Amazon ECS with Fargate. Use Application Auto Scaling with target tracking based on average CPU and memory utilization. Use Amazon DynamoDB for the database with on-demand capacity mode.
B.Deploy the API and frontend on Amazon ECS with Fargate. Use Application Auto Scaling with target tracking based on average CPU and memory utilization. Use Amazon RDS for PostgreSQL with Multi-AZ deployment and Auto Scaling for storage.
C.Deploy the API and frontend on Amazon EC2 instances behind an Application Load Balancer. Use Auto Scaling groups with dynamic scaling policies. Use Amazon RDS for PostgreSQL with Multi-AZ deployment.
D.Deploy the API and frontend on Amazon ECS with Fargate. Configure a scheduled task to scale out during known promotional events. Use Amazon RDS for PostgreSQL with Multi-AZ deployment.
AnswerB

ECS with Fargate and target tracking scaling provides automated, cost-effective scaling without over-provisioning.

Why this answer

Option D is correct because it combines ECS with Auto Scaling using target tracking based on CPU/memory, which is cost-effective and handles variable traffic automatically. Option A is wrong because ECS with manual scaling is not automated. Option B is wrong because DynamoDB is not the right database for this relational workload.

Option C is wrong because EC2 instances with Auto Scaling add management overhead and Fargate is more serverless.

1525
MCQeasy

A company is designing a new web application that will be deployed on AWS. The application consists of an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances running a web server. The application must be highly available across multiple Availability Zones. The company expects variable traffic patterns, including sudden spikes. The operations team wants to minimize manual intervention. The application stores session state in a shared data store. The security team requires that all traffic between the ALB and the EC2 instances be encrypted. The company is using AWS Certificate Manager (ACM) to manage SSL/TLS certificates. The ALB must terminate SSL/TLS connections. Which combination of actions should the company take to meet these requirements?

A.Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTPS on port 443 using the same ACM certificate. Configure health checks on the target group to use HTTP on port 80 with path /health.
B.Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTP health checks on port 80.
C.Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTPS on port 443 using a self-signed certificate. Configure health checks to use HTTPS on port 443.
D.Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTPS health checks on port 443 using a separate ACM certificate.
AnswerA

This encrypts backend traffic, uses ACM for backend (same cert), and health checks use HTTP to avoid certificate issues.

Why this answer

Option A is correct because it meets all requirements: the ALB terminates SSL/TLS using an ACM certificate on an HTTPS listener, encrypts traffic between ALB and EC2 instances by using HTTPS on the target group with the same ACM certificate (mutual TLS is not required; the ALB re-encrypts using the same certificate), and uses HTTP health checks on port 80 to avoid certificate validation issues during health checks. This ensures end-to-end encryption, high availability across multiple AZs, and minimizes manual intervention by automating certificate management with ACM.

Exam trap

The trap here is that candidates often assume health checks must use the same protocol as the target group traffic, but AWS recommends using HTTP health checks even for HTTPS target groups to avoid certificate validation failures and ensure reliable health monitoring.

How to eliminate wrong answers

Option B is wrong because it configures the target group with HTTP health checks on port 80 but does not specify HTTPS for the target group traffic, leaving traffic between the ALB and EC2 instances unencrypted, violating the security requirement. Option C is wrong because it uses a self-signed certificate for the target group HTTPS, which would cause the ALB to reject the certificate during health checks and traffic forwarding (ALB requires trusted certificates for HTTPS target groups), and health checks using HTTPS on port 443 would fail due to certificate validation issues. Option D is wrong because it uses a separate ACM certificate for the target group HTTPS health checks, which is unnecessary and introduces complexity; the same ACM certificate can be used, and health checks should use HTTP to avoid certificate validation overhead and ensure reliable health monitoring.

1526
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. They have a stack that creates an Amazon RDS for MySQL database. The stack creation fails with the error 'The following resource(s) failed to create: [DBInstance]'. The solutions architect needs to troubleshoot the issue. Which approach should be taken first?

A.Review the CloudFormation stack events in the AWS Management Console.
B.Check the RDS console for any database events.
C.Delete the stack and deploy again with the same parameters.
D.Use AWS CloudTrail to view the CreateStack API call.
AnswerA

Stack events provide the specific failure reason.

Why this answer

Option B is correct because CloudFormation logs events that include detailed status reasons for resource failures. Option A is wrong because RDS events might not capture the specific CloudFormation-related failure. Option C is wrong because deleting the stack is premature without understanding the cause.

Option D is wrong because CloudTrail logs API calls, but the failure reason is in CloudFormation events.

1527
MCQeasy

A company is designing a new web application that will be accessed by users worldwide. The application should have low latency and high availability. The application uses a stateless web tier and a relational database. Which architecture minimizes latency for global users?

A.Deploy the application in multiple regions with Route 53 latency-based routing, and use Amazon Aurora Global Database for the database tier.
B.Deploy the application in a single region and use Route 53 geolocation routing.
C.Deploy the application in multiple regions, use CloudFront to cache static content, and route dynamic requests to the nearest region via Route 53 latency-based routing.
D.Deploy the application in a single region and use Amazon CloudFront to cache content globally.
AnswerA

Aurora Global Database allows reads from local regions, reducing latency for read-heavy workloads.

Why this answer

Using Amazon Route 53 with latency-based routing to direct users to the closest region, and deploying the application in multiple regions with a global database, minimizes latency. Option D is correct. Option A is wrong because CloudFront alone doesn't handle dynamic content efficiently for all use cases.

Option B is wrong because a single region cannot provide low latency globally. Option C is wrong because CloudFront can cache static content but dynamic requests still go to origin.

1528
MCQmedium

Refer to the exhibit. A solutions architect runs the CLI command to list EC2 instances. The output shows three instances. The architect wants to start the stopped instance and ensure it retains its instance store data. What should the architect do?

A.Modify the instance type to one that supports instance store, then start the instance.
B.Detach the instance store volume and attach it to a running instance.
C.Create an AMI from the stopped instance before starting it, then launch a new instance from the AMI.
D.Run `aws ec2 start-instances --instance-ids i-0a1b2c3d4e5f6g7h9` to start the instance.
AnswerC

But instance store data is not captured in AMI. Better to copy data to EBS beforehand.

Why this answer

Option B is correct. Instance store volumes are ephemeral and data is lost when the instance is stopped. To retain data, the architect must move the data to an EBS volume or another persistent store.

Option A is wrong because starting the instance will not recover instance store data. Option C is wrong because instance store volumes cannot be detached. Option D is wrong because changing the instance type does not affect instance store persistence.

1529
Multi-Selectmedium

A company is planning a large-scale migration of hundreds of applications to AWS. Which TWO strategies should the architect consider to reduce migration risks?

Select 2 answers
A.Use only the rehosting strategy for all applications
B.Migrate all applications in a single wave to reduce coordination effort
C.Use a wave-based migration approach with defined groups and dependencies
D.Conduct a pilot migration of a small subset of applications
E.Roll back all migrations if any application experiences issues
AnswersC, D

Wave-based migration allows controlled, incremental migration.

Why this answer

A pilot migration allows testing the process on a small set of applications. A wave-based approach groups applications for migration and helps manage dependencies. Rolling back all migrations if issues occur is not practical.

Migrating all at once increases risk. Using only rehosting may not be optimal for all applications.

1530
MCQmedium

A company is designing a new serverless application on AWS. The application consists of multiple AWS Lambda functions that process incoming events from an Amazon SQS queue. The company wants to ensure that each message is processed exactly once. Which configuration should the company use?

A.Use a standard SQS queue and set the Lambda function reserved concurrency to 1.
B.Use an SQS FIFO queue and enable content-based deduplication.
C.Use a standard SQS queue and configure Lambda destinations for the queue.
D.Use an SQS FIFO queue and configure DynamoDB Streams as the event source for Lambda.
AnswerB

SQS FIFO queues support exactly-once processing when combined with deduplication IDs.

Why this answer

Option B is correct because SQS FIFO queues guarantee exactly-once processing. Option A is wrong because standard SQS queues do not guarantee exactly-once. Option C is wrong because Lambda destination is for success/failure, not exactly-once.

Option D is wrong because DynamoDB Streams are not for SQS.

1531
MCQmedium

A company is running a web application on AWS using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application experiences periodic traffic spikes that cause increased latency. The company wants to implement a solution to automatically adjust capacity in anticipation of traffic changes. What should a solutions architect do?

A.Configure a simple scaling policy based on CPU utilization.
B.Configure a scheduled scaling policy to add instances during known peak hours.
C.Configure a target tracking scaling policy based on average CPU utilization.
D.Configure a predictive scaling policy using historical traffic patterns.
AnswerD

Predictive scaling uses machine learning to forecast traffic and proactively scale.

Why this answer

Predictive scaling uses historical traffic patterns to forecast future demand and proactively adjust capacity before traffic spikes occur, which directly addresses the requirement to anticipate changes. This approach reduces latency by ensuring sufficient resources are available ahead of time, unlike reactive policies that only respond after utilization increases.

Exam trap

The trap here is that candidates often confuse reactive scaling policies (simple, step, or target tracking) with proactive predictive scaling, assuming that maintaining a target metric like CPU utilization is sufficient to handle anticipated spikes, but only predictive scaling uses historical patterns to act before the load increases.

How to eliminate wrong answers

Option A is wrong because a simple scaling policy based on CPU utilization is reactive, only adjusting capacity after a threshold is breached, which cannot anticipate traffic spikes and may still cause latency during the scaling cooldown period. Option B is wrong because scheduled scaling assumes fixed peak hours, but the scenario describes periodic spikes that may not follow a strict schedule, making it inflexible and potentially wasteful or insufficient. Option C is wrong because target tracking scaling, while more sophisticated than simple scaling, is still reactive—it maintains a target metric (e.g., average CPU) but does not proactively forecast demand, so it cannot eliminate latency during sudden spikes.

1532
MCQeasy

A company wants to automate the migration of on-premises servers to AWS. The migration plan includes discovery, assessment, and automated replication. Which AWS service should the company use?

A.AWS CloudEndure Migration
B.AWS Migration Hub
C.AWS Schema Conversion Tool
D.AWS Database Migration Service
AnswerB

Central tracking and orchestration of migrations.

Why this answer

Option D is correct because AWS Migration Hub provides a single place to track migrations and integrates with tools like Server Migration Service and DMS. Option A (CloudEndure) is now part of MGN. Option B (SCT) is for databases.

Option C (DMS) is for databases.

1533
MCQmedium

A solutions architect sees this output from the AWS CLI. The management account (111111111111) has a service control policy (SCP) attached that denies all actions unless the request originates from a specific IP range. Which account(s) are affected by this SCP?

A.Only the ProductionAccount (222222222222).
B.Neither account.
C.Both accounts.
D.The ManagementAccount (111111111111) only.
AnswerA

SCPs do not apply to the management account.

Why this answer

Option A is correct because SCPs attached to the root or OU affect all member accounts, but not the management account itself. The management account (111111111111) is not affected by SCPs. Option B is wrong because the management account is not affected.

Option C is wrong because the production account is a member account and is affected. Option D is wrong because only the production account is affected.

1534
MCQeasy

A small business is migrating its on-premises infrastructure to AWS. The current environment consists of two VMs running a LAMP stack (Linux, Apache, MySQL, PHP) and a separate file server. The business has limited IT staff and wants to minimize operational overhead. They also want to ensure high availability for the web application. The company has a modest budget and is looking for a cost-effective solution. You need to design the migration. Which approach should be taken?

A.Migrate the VMs to two EC2 instances in an Auto Scaling group behind an ALB. Use RDS for MySQL Multi-AZ.
B.Use Amazon Lightsail to host the entire application on a single instance with a managed database.
C.Use AWS Elastic Beanstalk to deploy the web application. Use Amazon RDS for MySQL Multi-AZ for the database. Use S3 for file storage.
D.Containerize the application and run on Amazon ECS with Fargate. Use Amazon RDS for MySQL.
AnswerC

Minimizes operational overhead and provides high availability.

Why this answer

Option B is correct because using Elastic Beanstalk for the web tier and RDS for MySQL provides high availability with minimal management. Option A is wrong because two EC2 instances require more management. Option C is wrong because Lightsail is not highly available.

Option D is wrong because ECS Fargate is more complex and costly for a small business.

1535
Multi-Selecteasy

A company is designing a new application that will run on Amazon ECS with Fargate. The application needs to store files in Amazon S3. The company has a strict security requirement that the application must not have any long-term credentials stored in the container image or environment variables. Which THREE steps should the company take to meet this requirement? (Choose THREE.)

Select 3 answers
A.Store AWS access keys in AWS Secrets Manager and retrieve them at runtime.
B.Create an IAM role with permissions to access the S3 bucket.
C.Attach the IAM role to the ECS task definition as the task role.
D.Enable the ECS task execution role to pass the task role to the container.
E.Configure the application to use the AWS CLI with environment variables for credentials.
AnswersB, C, D

The task role will assume this role to get temporary credentials.

Why this answer

IAM roles for tasks allow containers to obtain temporary credentials. An IAM policy with S3 permissions is attached to the role. The task definition must include a taskRoleArn.

Option A, B, and D are correct. Option C is wrong because storing credentials in Secrets Manager still requires credentials to access the secret. Option E is wrong because AWS CLI will automatically use credentials from the task role, no configuration needed.

1536
MCQmedium

A company is migrating a batch processing workload to AWS. The workload runs a Java application that processes files from an S3 bucket. The company wants to minimize operational overhead. Which AWS service should the company use to run the Java application?

A.Amazon EC2
B.Amazon ECS with EC2 launch type
C.AWS Batch
D.AWS Lambda
AnswerD

Lambda is serverless and can process files triggered by S3 events.

Why this answer

Option B is correct because AWS Lambda can run Java code triggered by S3 events, with no servers to manage. Option A is wrong because Amazon ECS requires cluster management. Option C is wrong because Amazon EC2 requires instance management.

Option D is wrong because AWS Batch is for batch jobs but still requires compute resources.

1537
MCQeasy

A company is using AWS Config to evaluate resource compliance. They want to receive notifications when a noncompliant resource is detected. Which AWS service should be used to send these notifications to an email endpoint?

A.Amazon Simple Queue Service (SQS)
B.Amazon Simple Notification Service (SNS)
C.Amazon CloudWatch Events
D.AWS Lambda
AnswerB

SNS can send email notifications directly.

Why this answer

Option A is correct because Amazon SNS can send email notifications when triggered by AWS Config rules. Option B is wrong because SQS is a queue, not for direct email. Option C is wrong because Lambda can process notifications but not directly send email to multiple recipients without SNS.

Option D is wrong because CloudWatch Events can trigger actions but not directly send email.

1538
MCQmedium

A company is migrating a legacy .NET Framework 4.7 web application to AWS. The application currently runs on Windows Server 2012 R2 with IIS and uses SQL Server Express for local storage. The company wants to minimize re-architecture and reduce operational overhead. Which migration strategy should the company use?

A.Retire the application and replace it with a SaaS-based solution.
B.Refactor the application to use .NET Core and deploy on Linux containers with Amazon ECS.
C.Replatform the application to use AWS Elastic Beanstalk with a SQL Server Express Multi-AZ RDS instance.
D.Rehost the application on Amazon EC2 Windows instances using an AWS Migration Acceleration Program (MAP) partner tool.
AnswerD

Rehosting lifts and shifts the application with minimal changes, reducing operational overhead.

Why this answer

Option D is correct because rehosting (lift-and-shift) the .NET Framework 4.7 application to Amazon EC2 Windows instances minimizes re-architecture and reduces operational overhead. The application is tightly coupled to Windows Server and IIS, and SQL Server Express is a local database; rehosting preserves the existing architecture without code changes. Using an AWS MAP partner tool streamlines the migration process, aligning with the goal of minimizing changes.

Exam trap

The trap here is that candidates may choose replatforming (Option C) thinking it reduces overhead, but it actually requires modifying the database connection string and handling Multi-AZ failover, which adds re-architecture effort beyond a simple lift-and-shift.

How to eliminate wrong answers

Option A is wrong because retiring the application and replacing it with a SaaS solution would require significant re-architecture and business process changes, contradicting the goal to minimize re-architecture. Option B is wrong because refactoring to .NET Core and deploying on Linux containers with Amazon ECS would require substantial code changes and re-architecture, which the company wants to avoid. Option C is wrong because replatforming to AWS Elastic Beanstalk with a SQL Server Express Multi-AZ RDS instance still requires modifying the application to use a remote database instead of local SQL Server Express, introducing re-architecture and increased operational complexity.

1539
MCQmedium

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. They need to ensure that users can authenticate to AWS resources using their existing corporate credentials. What is the MOST secure and scalable solution?

A.Federate using SAML 2.0 with on-premises ADFS and map AD groups to IAM roles.
B.Deploy AD Connector in each VPC to proxy authentication requests to on-premises Active Directory.
C.Set up AWS Managed Microsoft AD and establish a trust with the on-premises Active Directory. Use IAM roles to grant access based on AD groups.
D.Use AWS Directory Service Simple AD and synchronize with on-premises Active Directory using AD Connector.
AnswerC

AWS Managed Microsoft AD supports trust relationships and can be used for IAM authentication.

Why this answer

Option C is correct because AWS Managed Microsoft AD can establish a forest trust with an on-premises Active Directory, allowing users to authenticate using their existing corporate credentials. This approach is secure (Kerberos-based trust, no password exposure) and scalable (AWS handles AD infrastructure). IAM roles can then be mapped to AD groups via SAML or IAM Identity Center for fine-grained access to AWS resources.

Exam trap

The trap here is that candidates often confuse AD Connector (a proxy) with a trust relationship, thinking it provides the same level of integration, but AD Connector does not support native Kerberos trusts or scalable authentication for AWS Managed Microsoft AD migration.

How to eliminate wrong answers

Option A is wrong because federating with SAML 2.0 and ADFS requires maintaining a separate federation infrastructure and does not directly integrate with AWS Managed Microsoft AD for native AD authentication; it also adds complexity without leveraging the trust relationship. Option B is wrong because AD Connector is a proxy that forwards authentication requests to on-premises AD, but it does not provide a scalable solution for migrating to AWS Managed Microsoft AD and introduces a single point of failure in each VPC. Option D is wrong because Simple AD is a standalone LDAP directory based on Samba 4, not compatible with Active Directory trusts or Kerberos authentication, and AD Connector cannot synchronize with Simple AD; it only proxies to on-premises AD.

1540
MCQeasy

A company wants to give its developers access to specific Amazon S3 buckets based on their team membership. The company uses AWS IAM Identity Center (successor to AWS SSO) for user management. Which approach should the company use to grant fine-grained access?

A.Create an IAM policy that allows access to specific buckets based on tags, and assign the policy to an IAM role that developers can assume.
B.Create separate IAM groups for each team and attach policies granting access to the appropriate buckets.
C.Use resource-based policies on the buckets to allow access from the IAM Identity Center users.
D.Use S3 bucket policies that grant access to specific IAM users based on their usernames.
AnswerA

ABAC with tags enables fine-grained, scalable access control.

Why this answer

Using attribute-based access control (ABAC) with IAM Identity Center allows dynamic permissions based on user attributes like team. Option B (IAM groups) is less dynamic. Option C (S3 bucket policies) is not tied to user attributes.

Option D (resource-based policies) is not scalable.

1541
MCQhard

A company has a serverless application using AWS Lambda functions that process messages from an Amazon SQS queue. The queue receives a burst of messages daily. The Lambda function sometimes times out, causing messages to return to the queue and be reprocessed. How can the company improve the application to handle the burst without reprocessing failures?

A.Reduce the batch size in the Lambda event source mapping.
B.Increase the Lambda function's reserved concurrency and timeout.
C.Increase the SQS visibility timeout to 6 minutes.
D.Configure a dead-letter queue for the SQS queue.
AnswerB

More concurrency handles the burst; longer timeout prevents premature failures.

Why this answer

Option B is correct because increasing the reserved concurrency ensures Lambda can scale to handle the burst. Option A is wrong because it does not address the timeout. Option C is wrong because DLQ is for failed messages after retries, not for avoiding reprocessing.

Option D is wrong because batch size reduction may increase timeouts.

1542
MCQeasy

A company is designing a serverless data processing pipeline using AWS Lambda functions. The pipeline processes messages from an Amazon SQS queue. Each message takes approximately 30 seconds to process, and the pipeline must handle bursts of up to 10,000 messages per minute. The messages must be processed in the order they are received. Which solution meets these requirements?

A.Use an SQS FIFO queue with a Lambda function that sets the Concurrency limit to 100.
B.Use an SQS FIFO queue with a Lambda function configured with a reserved concurrency of 1000.
C.Use an SQS Standard queue with a Lambda function that processes messages in batches.
D.Use an Amazon Kinesis Data Stream with a Lambda function that processes multiple records per invocation.
AnswerB

FIFO queues preserve order; Lambda with reserved concurrency avoids throttling.

Why this answer

SQS FIFO queues guarantee exactly-once processing and preserve message order. Lambda can poll the FIFO queue with a batch size of 1 to maintain order. Option A is correct.

Option B is wrong because Kinesis Data Streams does not guarantee order across shards. Option C is wrong because SQS Standard does not guarantee order. Option D is wrong because Lambda concurrency limits can cause throttling.

1543
MCQhard

A company is designing a new application that will process sensitive financial data. They need to ensure that data at rest is encrypted using customer-provided encryption keys (SSE-C) in Amazon S3. Which action is required to enable this?

A.Use AWS KMS to generate a key
B.Enable default encryption on the bucket
C.Provide the encryption key in the request headers
D.Configure a bucket policy to require SSE-C
AnswerC

SSE-C requires the key to be provided with each request.

Why this answer

SSE-C requires the customer to provide the encryption key in the request headers when uploading or accessing objects. Amazon S3 uses the provided key to encrypt data at rest and then discards the key; the customer is responsible for managing the key lifecycle. This is the only way to enforce customer-provided encryption keys at the object level.

Exam trap

The trap here is that candidates confuse SSE-C with SSE-KMS or SSE-S3, assuming that a bucket policy or default encryption alone can enforce customer-provided keys, when in fact SSE-C requires the key to be explicitly supplied in every request.

How to eliminate wrong answers

Option A is wrong because AWS KMS generates AWS-managed or customer-managed keys (SSE-KMS), not customer-provided keys (SSE-C) that are supplied per request. Option B is wrong because enabling default encryption on the bucket applies SSE-S3 or SSE-KMS automatically, not SSE-C, which requires the key to be sent with each request. Option D is wrong because a bucket policy can require SSE-C (e.g., via a condition key like s3:x-amz-server-side-encryption-customer-algorithm), but it does not enable SSE-C itself; the key must still be provided in the request headers.

1544
MCQhard

A company runs a critical application on Amazon ECS Fargate. The application uses an Application Load Balancer as the front end. Recently, the application experienced a spike in traffic, and many tasks were marked as unhealthy and replaced. The team wants to improve resilience to traffic spikes without over-provisioning. What should the team do?

A.Use a step scaling policy with a lower scale-out threshold and a larger adjustment
B.Increase the task memory allocation to improve performance
C.Increase the health check interval to reduce the number of tasks marked unhealthy
D.Use a target tracking scaling policy with a higher target value
AnswerA

Step scaling can add more tasks faster when CPU exceeds thresholds.

Why this answer

Option B is correct because step scaling policies respond more aggressively to larger deviations, helping to add capacity faster. Option A (increase memory) does not directly affect scaling. Option C (increase health check interval) would slow detection of unhealthy tasks.

Option D (use target tracking) is reactive and may not handle spikes well.

1545
MCQhard

An administrator runs the above commands and observes the outputs. The instance is in a public subnet with an internet gateway. What is the most likely issue preventing users from accessing the web server?

A.The security group allows SSH from a restricted IP, but not from the users.
B.The security group does not allow outbound traffic, so responses cannot be sent.
C.The security group allows HTTP only from the IP range 203.0.113.0/24.
D.The security group does not allow inbound HTTP traffic.
AnswerB

Egress rules are empty, blocking response traffic.

Why this answer

Option B is correct because the security group allows inbound HTTP (80) from 0.0.0.0/0, but the egress rules are empty, which means all outbound traffic is denied. The web server cannot send responses back. Option A is wrong because HTTP port 80 is open.

Option C is wrong because SSH is not required for web access. Option D is wrong because the security group allows HTTP.

1546
MCQhard

A company uses AWS CodePipeline to automate deployments of a microservices application to Amazon ECS. The pipeline builds a Docker image, pushes it to Amazon ECR, and updates the ECS service. Recently, deployments have failed because insufficient IAM permissions cause the pipeline to fail when updating the ECS service. The development team wants to implement least privilege permissions. Which IAM policy statement should be added to the CodePipeline service role to allow it to update the ECS service?

A.{"Effect":"Allow","Action":["ecs:UpdateService"],"Resource":"*"}
B.{"Effect":"Allow","Action":["ecr:PutImage"],"Resource":"*"}
C.{"Effect":"Allow","Action":["ecs:RunTask"],"Resource":"*"}
D.{"Effect":"Allow","Action":["ecs:RegisterTaskDefinition"],"Resource":"*"}
AnswerA

UpdateService is the action needed to update the ECS service.

Why this answer

Option A is correct because the CodePipeline service role needs the ecs:UpdateService permission to trigger an ECS service update after a new Docker image is pushed to Amazon ECR. This action allows the pipeline to instruct ECS to redeploy the service using the updated task definition, which is the specific step that was failing due to insufficient permissions. The resource wildcard is acceptable here because the pipeline role is scoped by the pipeline's own trust policy and resource-based policies on the ECS service.

Exam trap

The trap here is that candidates confuse the permissions needed for different stages of the pipeline (e.g., pushing to ECR or registering a task definition) with the specific permission required to update the ECS service, leading them to select options that are valid for other actions but not for the failing step.

How to eliminate wrong answers

Option B is wrong because ecr:PutImage is used to push Docker images to an ECR repository, which is typically performed by the build stage (e.g., CodeBuild) rather than the CodePipeline service role that updates the ECS service. Option C is wrong because ecs:RunTask is used to run standalone tasks, not to update an existing ECS service; updating a service requires ecs:UpdateService. Option D is wrong because ecs:RegisterTaskDefinition is used to create a new task definition revision, which is usually done by the build or deploy stage, not by the pipeline service role when updating the service itself.

1547
Multi-Selectmedium

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The application experiences high traffic during business hours and low traffic at night. The company wants to automatically scale the instances based on CPU utilization. Which TWO steps are required to achieve this?

Select 2 answers
A.Configure a scheduled scaling policy to add instances during business hours.
B.Replace the ALB with a Network Load Balancer for better performance.
C.Create a dynamic scaling policy based on the average CPU utilization metric.
D.Create an Auto Scaling group and associate it with the ALB.
E.Create a CloudWatch alarm that sends an email when CPU exceeds 80%.
AnswersC, D

Scales based on CPU.

Why this answer

Options A and C are correct. An Auto Scaling group is needed to manage the instances, and a scaling policy based on CPU utilization is needed. Option B is wrong because a scheduled scaling policy is based on time, not CPU.

Option D is wrong because a Network Load Balancer is not required. Option E is wrong because CloudWatch alarm is part of the scaling policy but not the primary requirement; the policy itself is needed.

1548
MCQeasy

A company is migrating its on-premises VMware VMs to AWS. The company wants to use the same management tools and maintain consistency. Which AWS service should be used for this migration?

A.AWS Server Migration Service (SMS)
B.AWS Snowball Edge
C.VMware Cloud on AWS
D.AWS Database Migration Service (DMS)
AnswerC

Provides consistent VMware environment on AWS.

Why this answer

Option C is correct because VMware Cloud on AWS allows running VMware workloads natively on AWS with consistent management. Option A is wrong because Server Migration Service (SMS) is for server migration but not VMware management. Option B is wrong because DMS is for databases.

Option D is wrong because Snowball is for offline data transfer.

1549
MCQhard

A company ran the command above. The management account (111111111111) has an SCP attached that denies all actions. The DevAccount (222222222222) has no SCP. What can the root user of the DevAccount do?

A.Full access to all AWS services because no SCP is applied to the DevAccount.
B.Nothing, because the management account's SCP applies to all accounts.
C.Only read-only actions because of default SCP.
D.Only actions allowed by the root user's implicit full access.
AnswerA

Without SCP, only IAM policies restrict.

Why this answer

SCPs are inherited from the root OU. Since no SCP is attached to the DevAccount or its OU, there is no restriction. Option A is wrong because management account SCP does not apply.

Option C is wrong because root user can be restricted by SCP. Option D is wrong because there is no SCP.

1550
MCQmedium

A company is designing a new solution to host a static website on AWS. The website content is stored in an Amazon S3 bucket. The company wants to use a custom domain name (e.g., www.example.com) and enforce HTTPS. Which combination of AWS services should the company use?

A.Configure the S3 bucket for static website hosting and attach a custom SSL certificate using AWS Certificate Manager.
B.Use Amazon CloudFront with an SSL certificate from AWS Certificate Manager and point the CloudFront distribution to the S3 bucket.
C.Use Amazon Route 53 with an alias record pointing to the S3 bucket and enable DNSSEC.
D.Use an Application Load Balancer in front of the S3 bucket and attach an SSL certificate from AWS Certificate Manager.
AnswerB

CloudFront provides HTTPS and works with ACM.

Why this answer

Option D is correct because Amazon CloudFront can serve content from S3, and AWS Certificate Manager (ACM) can provision an SSL/TLS certificate for the custom domain, allowing HTTPS. Option A is wrong because S3 does not support custom SSL certificates natively. Option B is wrong because ELB is not needed for static website hosting.

Option C is wrong because Route 53 does not provide HTTPS termination.

1551
MCQmedium

A company runs a stateless web application on AWS Elastic Beanstalk. The application experiences periodic spikes in traffic that cause CPU utilization to reach 90% on the EC2 instances. The company wants to automatically scale the environment based on CPU usage. They also want to ensure that the scaling is proactive and can handle sudden traffic surges. What should they do?

A.Configure a simple scaling policy based on CPU utilization with a cooldown period.
B.Configure a predictive scaling policy using AWS Auto Scaling.
C.Manually increase the instance count when traffic spikes are expected.
D.Use scheduled scaling to add instances during known peak times.
AnswerB

Predictive scaling uses historical data to forecast and proactively add capacity before spikes.

Why this answer

Option D is correct. Using a predictive scaling policy with Elastic Beanstalk allows proactive scaling based on historical patterns. Option A: Simple scaling policies react to alarms but may lag.

Option B: Scheduled scaling is for predictable patterns, not sudden surges. Option C: Manual scaling is not automated.

1552
MCQhard

A company uses AWS Organizations with a policy that denies access to services unless they are explicitly allowed. The security team wants to allow only approved services. What type of policy should they use?

A.Use an SCP with an Allow effect for approved services.
B.Use an SCP with a Deny effect for all services except approved ones.
C.Use an SCP with a Deny effect for unapproved services.
D.Use an IAM policy with a Deny effect for unapproved services.
AnswerC

SCPs can deny specific services across accounts.

Why this answer

Option D is correct because an SCP with a Deny effect for unapproved services is the standard approach. Option A is wrong because Allow lists are not natively supported by SCPs. Option B is wrong because it's the opposite.

Option C is wrong because service control policies are for Organizations.

1553
Multi-Selecthard

A company is migrating a legacy application to AWS. The application requires a relational database with high I/O and low latency. The database size is 2 TB and growing. The Solutions Architect must choose a storage solution that provides the best price-performance. Which TWO solutions meet these requirements?

Select 2 answers
A.Use Amazon Aurora with I/O-Optimized cluster configuration.
B.Use Amazon RDS with Provisioned IOPS (io2) volumes.
C.Use Amazon DynamoDB with provisioned capacity.
D.Use Amazon Redshift with dense compute nodes.
E.Use Amazon RDS with gp3 storage.
AnswersA, B

Aurora I/O-Optimized is cost-effective for high I/O.

Why this answer

Options A and C are correct: RDS with Provisioned IOPS provides consistent low latency, and Aurora with I/O-Optimized provides high I/O at lower cost for high I/O workloads. Option B is wrong because gp3 is general purpose, not best for high I/O. Option D is wrong because DynamoDB is NoSQL.

Option E is wrong because Redshift is for analytics.

1554
MCQeasy

A company is migrating a monolithic application to AWS. The application currently runs on a single on-premises server and uses a MySQL database. The company wants to minimize changes to the application code during migration. Which migration strategy should the company use?

A.Refactor the application to use microservices and Amazon RDS.
B.Rehost the application on Amazon EC2 and migrate the database to Amazon RDS.
C.Replatform the application to use AWS Elastic Beanstalk and Amazon Aurora.
D.Repurchase the application by adopting a SaaS solution.
AnswerB

Rehosting minimizes code changes.

Why this answer

Option B is correct because rehosting (lift-and-shift) involves moving applications to AWS with minimal changes, which fits the requirement to minimize code changes. Option A is wrong because refactoring requires code changes. Option C is wrong because replatforming involves some optimizations.

Option D is wrong because repurchasing replaces the application with a SaaS product.

1555
MCQhard

A multinational corporation uses AWS Organizations with hundreds of accounts. The security team requires that all Amazon S3 buckets across the organization be encrypted with a specific AWS KMS key from the security account. Which combination of controls should be implemented to enforce this requirement?

A.Create an AWS Service Catalog portfolio that restricts bucket creation to encrypted buckets only.
B.Use IAM policies in each account to deny PutBucketEncryption actions that do not specify the required KMS key.
C.Enable AWS CloudTrail and create a CloudWatch Events rule to automatically remediate non-compliant buckets.
D.Apply an SCP to deny s3:PutBucketEncryption with any key other than the required KMS key, and use AWS Config rules to detect and remediate existing non-compliant buckets.
AnswerD

SCPs enforce at the organizational level; AWS Config detects violations for remediation.

Why this answer

Option D is correct because SCPs can deny the creation of S3 buckets without encryption or with the wrong KMS key, and AWS Config rules can detect non-compliant existing buckets for remediation. Option A is wrong because IAM policies alone cannot enforce encryption at the organizational level across multiple accounts. Option B is wrong because AWS CloudTrail only logs, not enforces.

Option C is wrong because AWS Service Catalog is not designed for this purpose.

1556
MCQmedium

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB) in a production AWS account. Recently, the application has experienced intermittent timeouts. The operations team notices that the CPU utilization of the instances spikes to 100% for a few minutes during the timeouts. The Auto Scaling group is configured with a target tracking scaling policy based on average CPU utilization at 70%. What should a solutions architect do to improve the application's availability and reduce timeouts?

A.Increase the ALB idle timeout to 120 seconds.
B.Add a step scaling policy to scale out by 2 instances when CPU exceeds 80% for 1 minute.
C.Enable cross-zone load balancing on the ALB.
D.Reduce the target tracking scaling threshold to 50% average CPU.
AnswerB

Step scaling can add capacity quickly in response to high CPU, reducing timeouts.

Why this answer

Option B is correct because adding a step scaling policy that triggers at 80% CPU for 1 minute provides a faster, more aggressive scale-out response than the existing target tracking policy alone. This helps preempt the CPU spikes that reach 100% and cause timeouts, improving application availability by adding capacity before performance degrades.

Exam trap

The trap here is that candidates assume reducing the target tracking threshold (Option D) is sufficient, but they overlook that target tracking cannot react quickly enough to sudden spikes, whereas a step scaling policy provides the immediate, aggressive scale-out needed to prevent 100% CPU utilization and timeouts.

How to eliminate wrong answers

Option A is wrong because increasing the ALB idle timeout to 120 seconds does not address the root cause of CPU spikes; it only keeps connections open longer, which can mask timeouts but does not prevent them. Option C is wrong because cross-zone load balancing is already enabled by default on ALBs and does not affect CPU utilization or scaling behavior. Option D is wrong because reducing the target tracking threshold to 50% average CPU would cause the Auto Scaling group to maintain a lower average utilization, but it does not provide the rapid, proactive scaling needed to handle sudden spikes that reach 100% CPU.

1557
MCQeasy

A company has a multi-account AWS environment with a centralized logging account. They want to collect VPC Flow Logs from all accounts and store them in a centralized S3 bucket in the logging account. What is the MOST scalable and cost-effective solution?

A.Configure VPC Flow Logs to deliver to an S3 bucket in each account, then enable S3 Cross-Region Replication to the central bucket in the logging account.
B.Use Amazon Kinesis Data Firehose in each account to stream logs to a central S3 bucket.
C.Create a Lambda function in each account that copies log files to the central bucket.
D.Use S3 Batch Operations to copy logs from each account to the central bucket daily.
AnswerA

S3 replication is serverless, cost-effective, and scales automatically.

Why this answer

Option B is correct because it uses S3 Cross-Region Replication to aggregate logs without additional compute, and is scalable. Option A (Lambda) adds cost and complexity. Option C (Amazon Kinesis Data Firehose) is more expensive for log aggregation than replication.

Option D (S3 batch operations) is not designed for real-time log delivery.

1558
Multi-Selecteasy

A company is migrating a legacy .NET Framework 4.7 application to AWS. The application currently uses Windows Authentication and stores session state in-process. The company wants to minimize code changes and use AWS managed services. Which TWO strategies should the company adopt?

Select 2 answers
A.Migrate the application to run on Amazon EC2 instances joined to AWS Managed Microsoft AD.
B.Rewrite the application to .NET Core and deploy on AWS Elastic Beanstalk with Amazon RDS for SQL Server.
C.Store session data in Amazon ElastiCache for Redis using the Redis Session State Provider.
D.Use Amazon Cognito with an Active Directory connector for authentication.
E.Use Amazon DynamoDB to persist session state.
AnswersA, C

AWS Managed Microsoft AD supports Windows Authentication with minimal code changes.

Why this answer

Option A is correct because AWS Managed Microsoft AD supports Windows Authentication and can integrate with EC2 or Elastic Beanstalk without code changes. Option D is correct because ElastiCache for Redis can be used as a distributed session store, replacing in-process session state with minimal code changes (using Redis Session State Provider). Option B is wrong because .NET Core is not compatible with .NET Framework 4.7 without significant rewrite.

Option C is wrong because Cognito is for external identity providers, not Windows Authentication. Option E is wrong because DynamoDB is not a drop-in replacement for in-process sessions; it requires custom code.

1559
MCQhard

A company is designing a new data lake on Amazon S3. The data is ingested from various sources and must be encrypted at rest. The company has a strict requirement to use an AWS KMS customer master key (CMK) that is stored in a different AWS account for additional security. The S3 bucket is in Account A, and the KMS key is in Account B. Which steps are necessary to enable server-side encryption with AWS KMS (SSE-KMS) for objects in the S3 bucket?

A.Enable SSE-KMS on the S3 bucket in Account A and specify the ARN of the KMS key from Account B. S3 will automatically use the key.
B.Update the KMS key policy in Account B to grant Account A access to the key. No changes needed in Account A.
C.Update the KMS key policy in Account B to grant Account A access to the key, and update the S3 bucket policy in Account A to allow the kms:Encrypt and kms:Decrypt actions for the key.
D.Update the S3 bucket policy in Account A to allow s3:PutObject with the kms:Encrypt permission. No changes needed in Account B.
AnswerC

Both policies are required for cross-account SSE-KMS.

Why this answer

Option D is correct because cross-account KMS access requires both a key policy in Account B granting Account A permission to use the key, and an S3 bucket policy in Account A that allows the necessary actions and specifies the KMS key. Option A is wrong because the KMS key policy must allow Account A to use the key, but the S3 bucket policy also needs to be updated. Option B is wrong because the KMS key policy must explicitly grant access to Account A.

Option C is wrong because S3 does not automatically use the KMS key; the bucket policy must specify the key.

1560
Matchingmedium

Match each AWS security service to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Protect web applications from common exploits

Enhanced DDoS protection for critical workloads

Create and manage encryption keys

Rotate and manage secrets securely

Manage user identities and permissions

Why these pairings

Security services address different aspects of threat protection and access control.

1561
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. Users report intermittent slowdowns. CloudWatch metrics show high CPU utilization on the instances. The company wants to improve performance with minimal architectural changes. What should a solutions architect do?

A.Use Amazon ElastiCache to offload database queries.
B.Configure an Auto Scaling group with a dynamic scaling policy based on CPU utilization.
C.Replace the EC2 instances with a larger instance type.
D.Enable Amazon CloudFront in front of the ALB to cache content.
AnswerB

Auto Scaling adds instances during high demand, distributing load and reducing CPU per instance.

Why this answer

Option C is correct because Auto Scaling with a dynamic scaling policy based on CPU utilization automatically adjusts capacity to handle load spikes. Option A is wrong because vertical scaling (larger instances) has an upper limit and may cause downtime during resizing. Option B is wrong because CloudFront caches content but doesn't reduce CPU load from dynamic requests.

Option D is wrong because ElastiCache adds a caching layer but may not address CPU bottlenecks from compute-intensive operations.

1562
MCQmedium

A company is designing a new application that will run on Amazon ECS with Fargate. The application needs to output logs to CloudWatch Logs. Which configuration should be used to send logs from the container to CloudWatch?

A.Use the awslogs log driver in the task definition and specify the log group.
B.Install and configure the CloudWatch agent in the container image.
C.Output logs to stdout/stderr and use a Lambda function to push them.
D.Configure a sidecar container running the CloudWatch agent.
AnswerA

The awslogs log driver is the native integration for ECS and Fargate to send logs to CloudWatch.

Why this answer

The awslogs log driver is the native, built-in mechanism for Amazon ECS tasks using the Fargate launch type to send container logs directly to CloudWatch Logs. By specifying the 'awslogs' log driver in the task definition and providing the log group name, ECS automatically streams stdout and stderr from the container to the specified CloudWatch log group without requiring any additional agents or infrastructure.

Exam trap

The trap here is that candidates often over-engineer the solution by thinking a separate agent or sidecar is required for log shipping, when in fact the awslogs log driver is the simplest and most efficient native integration for ECS with Fargate.

How to eliminate wrong answers

Option B is wrong because installing the CloudWatch agent inside the container image is unnecessary and adds complexity; the awslogs log driver handles log shipping natively at the container runtime level. Option C is wrong because using a Lambda function to push logs from stdout/stderr is an overly complex, non-standard approach that introduces latency and potential data loss, whereas the awslogs driver streams logs in real time. Option D is wrong because a sidecar container running the CloudWatch agent is redundant and consumes additional resources; the awslogs log driver is the recommended and simpler method for Fargate tasks.

1563
MCQeasy

A company has a multi-account AWS environment with a central networking account that hosts all VPCs and a shared services account that hosts common resources like directory services. The company wants to allow all accounts to use the same VPC for their workloads instead of creating separate VPCs. The security team requires that traffic between accounts is encrypted in transit and that accounts cannot directly access each other's resources without going through the central networking account. The network team proposes using AWS Transit Gateway with inter-region peering and VPC attachments. However, the security team is concerned about compliance with encryption requirements. What should the network team do to meet the requirements?

A.Use AWS Client VPN to connect each account to the central VPC.
B.Use VPC Peering between the central VPC and each member account VPC.
C.Use AWS Direct Connect between accounts.
D.Use AWS Transit Gateway with VPN attachments between the central networking account and each member account VPC.
AnswerD

Provides IPsec encryption and centralized routing.

Why this answer

Option D is correct because AWS Transit Gateway with VPN attachments enables encrypted traffic between the central networking account and each member account VPC using IPsec tunnels. This satisfies the encryption-in-transit requirement while ensuring all traffic routes through the central networking account, preventing direct account-to-account access. Transit Gateway also allows all accounts to share a single VPC for workloads without creating separate VPCs.

Exam trap

The trap here is that candidates may assume VPC Peering or Direct Connect inherently meet encryption requirements, but VPC Peering does not encrypt traffic and Direct Connect requires an additional VPN layer for encryption, while Transit Gateway VPN attachments provide both encryption and centralized routing control.

How to eliminate wrong answers

Option A is wrong because AWS Client VPN provides encrypted client-to-VPN access but is designed for individual user connections, not for routing traffic between VPCs or accounts, and it does not enforce that all inter-account traffic must go through the central networking account. Option B is wrong because VPC Peering does not natively encrypt traffic in transit; it relies on AWS's physical network security but does not meet explicit encryption requirements, and it allows direct peering relationships that could bypass the central networking account. Option C is wrong because AWS Direct Connect provides a dedicated private connection from on-premises to AWS, not between accounts, and it does not inherently encrypt traffic unless combined with IPsec VPN, which is not specified in the option.

1564
MCQhard

Refer to the exhibit. A security engineer ran this AWS CLI command to investigate who created a CloudTrail trail in January 2024. The command returned no results. However, the security team knows that a trail was created during that period. What is the most likely reason for the empty result?

A.The start time is too far in the past and CloudTrail only retains events for 90 days.
B.The trail was created using the AWS Management Console, not the CLI.
C.The trail was created in a different region and the command did not specify a region.
D.The command syntax is incorrect; the --lookup-attributes parameter should be --attribute.
AnswerC

By default, the CLI uses the current region; the trail might be in another region.

Why this answer

The AWS CLI command `aws cloudtrail lookup-events` defaults to the region configured in the AWS CLI profile (e.g., `us-east-1`). If the CloudTrail trail was created in a different region, the command will return no results unless the `--region` parameter is explicitly specified. Since the security team knows the trail was created in January 2024, the most likely reason for the empty result is that the command did not target the correct region.

Exam trap

The trap here is that candidates assume CloudTrail events are globally visible by default, but `lookup-events` is region-scoped unless the trail is a multi-region trail, and even then, the command must be run in the home region of the trail to see the creation event.

How to eliminate wrong answers

Option A is wrong because CloudTrail `lookup-events` can retrieve events for up to 90 days, but the command can also access events beyond that if the trail is configured to send events to CloudWatch Logs or S3, and the `--lookup-attributes` parameter does not impose a 90-day limit on the API itself. Option B is wrong because the method of creation (Console vs. CLI) does not affect the ability of `lookup-events` to retrieve the event; CloudTrail records all management events regardless of the interface used.

Option D is wrong because the `--lookup-attributes` parameter is the correct syntax for the `lookup-events` command; there is no `--attribute` parameter in the AWS CLI for CloudTrail.

1565
MCQhard

A company is designing a multi-region disaster recovery solution for a critical application using Amazon RDS for MySQL. They need a Recovery Point Objective (RPO) of less than 5 seconds and a Recovery Time Objective (RTO) of less than 1 minute. Which solution should they choose?

A.Use Amazon RDS with cross-Region read replicas and promote the replica to a primary instance in a disaster.
B.Use Amazon Aurora Global Database.
C.Use Amazon RDS with automated backups and restore in another Region.
D.Use Amazon RDS Multi-AZ with a standby in a different AWS Region.
AnswerA

Cross-Region read replicas use asynchronous replication with minimal lag, and can be promoted quickly, meeting the RPO/RTO requirements.

Why this answer

Amazon RDS Multi-AZ with a standby replica in a different region is not supported. However, cross-region read replicas can be promoted to a standalone instance in a disaster. For low RPO/RTO, using a cross-region read replica with automatic failover via Route 53 can achieve near-real-time replication and fast failover.

1566
Multi-Selecthard

A company is migrating a multi-tier e-commerce application to AWS. The application consists of a web tier, an application tier, and a MySQL database tier. The company wants to improve scalability and availability while reducing administrative overhead. Which THREE actions should the solutions architect take? (Select THREE.)

Select 3 answers
A.Migrate the MySQL database to Amazon RDS Multi-AZ
B.Use Amazon ElastiCache to cache session data
C.Use Amazon EFS for shared storage between web instances
D.Configure an Application Load Balancer and Auto Scaling group for the web tier
E.Use Spot Instances for all EC2 instances to reduce costs
AnswersA, B, D

Correct: Reduces overhead and provides high availability.

Why this answer

Using an ALB and Auto Scaling for web tier improves scalability and availability. Migrating to RDS Multi-AZ reduces overhead and provides high availability. ElastiCache for session caching improves performance, but is not the only option for scalability.

EFS is for shared file storage, not needed. Using Spot Instances for all tiers may cause interruptions.

1567
Multi-Selectmedium

A company is building a new application that requires a relational database with high availability across multiple Availability Zones. The database must automatically failover with minimal downtime. Which two AWS services or features meet these requirements?

Select 2 answers
A.Amazon Aurora DB cluster with multiple Availability Zones
B.Amazon RDS Multi-AZ deployment
C.Amazon RDS Single-AZ deployment with automated backups
D.Amazon DynamoDB with global tables
E.Amazon RDS Read Replica
AnswersA, B

Aurora automatically fails over to a replica in another AZ.

Why this answer

Amazon RDS Multi-AZ deployment provides synchronous replication and automatic failover across AZs. Option A and D are correct. Option B is wrong because read replicas are for read scaling, not automatic failover.

Option C is wrong because single AZ is not highly available. Option E is wrong because DynamoDB is NoSQL, not relational.

1568
MCQhard

A company has a data lake in AWS using S3 and Glue. The security team requires that all data in the data lake be encrypted at rest using a customer-managed KMS key. However, some users are able to upload data without encryption. What is the most effective way to enforce encryption?

A.Apply an S3 bucket policy that denies s3:PutObject unless encryption headers are present
B.Use AWS Config rules to remediate non-compliant objects
C.Require users to use pre-signed URLs for uploads
D.Attach an SCP that denies s3:PutObject without encryption
AnswerA

Bucket policies can enforce encryption at upload time.

Why this answer

Option A is correct because an S3 bucket policy with a condition that denies s3:PutObject unless the x-amz-server-side-encryption header is present and specifies the required KMS key enforces encryption at the point of upload. This prevents any unencrypted object from being written to the bucket, regardless of the client or tool used, and works with any IAM principal. It is the most effective and direct method to enforce encryption for all uploads.

Exam trap

The trap here is that candidates often choose AWS Config (Option B) thinking it can enforce encryption, but Config is detective and reactive, not preventive, whereas a bucket policy with a deny condition is the only way to block unencrypted uploads at the API level.

How to eliminate wrong answers

Option B is wrong because AWS Config rules are reactive, not preventive; they can detect non-compliant objects after upload and trigger remediation (e.g., copying the object with encryption), but they do not block the initial unencrypted write, leaving a window where data is stored without encryption. Option C is wrong because pre-signed URLs control access duration and permissions but do not enforce encryption headers; a pre-signed URL for s3:PutObject can be used to upload unencrypted data unless the bucket policy explicitly denies such requests. Option D is wrong because Service Control Policies (SCPs) apply to all IAM principals in an AWS Organizations account but cannot enforce object-level encryption headers; SCPs can deny actions based on conditions, but the condition for encryption headers (e.g., s3:x-amz-server-side-encryption) is not supported in SCPs, making this option ineffective.

1569
Multi-Selecthard

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to restrict the use of specific instance types across all accounts. Which TWO methods can be used to enforce this restriction?

Select 2 answers
A.Create an SCP that denies the ec2:RunInstances action for specific instance types.
B.Use AWS Config rules to detect non-compliant instance types and automatically terminate them using AWS Systems Manager Automation.
C.Use AWS CloudTrail to monitor launches of prohibited instance types and automatically terminate them.
D.Use Service Quotas to restrict the number of instances of specific types.
E.Create an IAM policy in each account that denies the specified instance types.
AnswersA, B

SCPs can deny actions based on condition keys like ec2:InstanceType.

Why this answer

Option A is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally restrict permissions across all accounts in the organization. By creating an SCP that denies the ec2:RunInstances action with a condition key like ec2:InstanceType matching specific prohibited instance types, you can enforce this restriction at the organization, OU, or account level, preventing any user or role from launching those instance types regardless of their IAM permissions.

Exam trap

The trap here is that candidates often confuse detective controls (AWS Config, CloudTrail) with preventive controls (SCPs), or they assume IAM policies can be centrally managed across accounts, when in fact SCPs are the only native mechanism for organization-wide preventive restrictions.

1570
MCQeasy

A company is designing a microservices architecture on Amazon ECS with AWS Fargate. The services need to communicate with each other using HTTP APIs. The company wants to minimize operational overhead and enable canary deployments. Which solution should the company use for service discovery and traffic routing?

A.Use Amazon API Gateway with VPC Link
B.Use an Application Load Balancer with target groups per service
C.Use Amazon Route 53 with weighted routing policies
D.Use AWS App Mesh with Envoy sidecars
AnswerD

App Mesh provides traffic splitting and observability for canary deployments.

Why this answer

AWS App Mesh with Envoy sidecars provides a service mesh that handles service discovery, traffic routing, and canary deployments at the application layer. It integrates natively with ECS Fargate, offloading operational overhead by managing traffic splitting, retries, and observability without modifying application code. This makes it ideal for microservices requiring fine-grained control over HTTP traffic routing.

Exam trap

The trap here is that candidates often confuse DNS-based routing (Route 53) or load balancer-level routing (ALB) with the application-layer traffic management needed for canary deployments, overlooking that only a service mesh like App Mesh provides the granular, proxy-based control required for HTTP traffic splitting without operational overhead.

How to eliminate wrong answers

Option A is wrong because Amazon API Gateway with VPC Link is designed for external API management and routing to private VPC resources, not for internal service-to-service communication within a microservices architecture, and it adds unnecessary latency and complexity for internal calls. Option B is wrong because an Application Load Balancer with target groups per service can route traffic but does not natively support canary deployments with weighted traffic splitting across service versions; it requires external tooling or custom scripting for gradual rollouts. Option C is wrong because Amazon Route 53 with weighted routing policies operates at the DNS level, which cannot handle HTTP-level traffic routing, session affinity, or fine-grained canary percentages, and DNS caching can cause uneven traffic distribution during deployments.

1571
MCQmedium

A company's AWS CloudTrail logs are stored in an S3 bucket. A Solutions Architect needs to analyze the logs to identify API calls that created or modified IAM roles in the last 30 days. What is the MOST efficient way to perform this analysis?

A.Use Amazon CloudWatch Logs Insights to query the logs.
B.Use Amazon Athena to run SQL queries on the logs.
C.Use an AWS Lambda function to process the logs and export to Amazon Redshift.
D.Use S3 Select to filter the records.
AnswerB

Athena can directly query CloudTrail logs in S3 using SQL, making it efficient for this analysis.

Why this answer

Option C is correct because Amazon Athena can query CloudTrail logs stored in S3 using SQL, allowing efficient analysis without moving data. Option A is wrong because CloudWatch Logs Insights is for CloudWatch Logs, not S3. Option B is wrong because S3 Select can filter objects but is not designed for complex queries across multiple objects.

Option D is wrong because exporting to a different account is unnecessary and adds complexity.

1572
MCQmedium

A company runs a stateful application on EC2 instances in an Auto Scaling group behind a Network Load Balancer (NLB). The application requires that client sessions are maintained to the same instance. The operations team notices that after scaling events, some clients lose their sessions. Which configuration change should the team implement to ensure session persistence?

A.Disable cross-zone load balancing on the NLB.
B.Enable cookie-based stickiness on the NLB listener.
C.Switch to an Application Load Balancer and enable cookie-based stickiness.
D.Enable source IP stickiness on the NLB target group.
AnswerD

NLB target groups support source IP stickiness for stateful applications.

Why this answer

Option B is correct because NLB supports target group stickiness based on the source IP address, which is the appropriate method for stateful applications. Option A is wrong because ALB is not used with NLB. Option C is wrong because the NLB itself does not support cookie-based stickiness; that is an ALB feature.

Option D is wrong because disabling cross-zone load balancing does not ensure stickiness.

1573
MCQmedium

A company uses AWS Organizations and has a member account that needs to access a shared S3 bucket in another member account. The bucket policy allows access from the account's root user. What is the simplest way to grant an IAM user in the member account access?

A.Create an IAM role in the source account and have the user assume it.
B.Update the bucket policy to allow the user's ARN directly.
C.Attach an IAM policy to the user that allows s3:GetObject on the bucket.
D.Use a bucket ACL to grant access to the user's canonical ID.
AnswerC

Since the bucket policy trusts the account, the user just needs IAM permissions.

Why this answer

Option C is correct because the simplest way to grant an IAM user in a member account access to a shared S3 bucket in another member account is to attach an IAM policy to the user that allows the required S3 action (e.g., s3:GetObject) on the bucket. Since the bucket policy already allows access from the account's root user, the IAM user inherits permissions through the account's identity-based policies, and no cross-account role assumption or bucket policy update is needed.

Exam trap

The trap here is that candidates often overcomplicate cross-account access by assuming a role or modifying the bucket policy, when the simplest solution is to use an IAM policy on the user because the bucket policy already authorizes the account's root user.

How to eliminate wrong answers

Option A is wrong because creating an IAM role in the source account and having the user assume it introduces unnecessary complexity; the bucket policy already allows the account's root user, so a simple IAM policy on the user suffices. Option B is wrong because updating the bucket policy to allow the user's ARN directly is not the simplest approach and would require modifying the bucket policy, which is more complex than attaching an IAM policy to the user. Option D is wrong because bucket ACLs are legacy and do not support granting access to IAM users directly; they only grant access to AWS accounts or canonical IDs, not individual IAM users.

1574
MCQmedium

A company applies the above IAM policy to an S3 bucket. An IAM user attempts to upload an object without specifying encryption. Will the upload succeed?

A.Yes, because the user can override the policy with s3:PutObjectAcl.
B.Yes, because the bucket has default encryption enabled.
C.No, because the user needs additional permissions.
D.No, because the policy denies the request.
AnswerD

The policy explicitly denies PutObject without AES256 encryption.

Why this answer

Option B is correct because the policy denies PutObject if encryption is not AES256. Since no encryption header is specified, the condition matches (StringNotEquals is true because the header is absent), so the request is denied. Option A is wrong because even though bucket default encryption might apply, the policy evaluation happens before the default encryption is applied.

Options C and D are incorrect.

1575
MCQmedium

A company has multiple AWS accounts managed using AWS Organizations. The security team wants to enforce that all new accounts automatically have a specific AWS Config rule enabled to prohibit public S3 bucket access. Which solution requires the least operational overhead?

A.Use AWS CloudFormation StackSets to deploy the AWS Config rule to all accounts.
B.Enable AWS Config in the management account and use an aggregator for all accounts.
C.Use an SCP to automatically enable the AWS Config rule in all accounts.
D.Use an SCP to deny the s3:PutBucketPublicAccessBlock action if a specific tag is not present.
AnswerD

SCPs can deny actions based on conditions, but this option is not ideal; the correct approach is to use an SCP with a condition to require the public access block. However, the best answer is to use an SCP to prevent disabling the AWS Config rule.

Why this answer

Option D is correct because it uses a service control policy (SCP) to deny the s3:PutBucketPublicAccessBlock action unless a specific tag is present. This enforces the desired AWS Config rule indirectly by preventing any action that would disable or bypass the public access block, and it applies automatically to all new accounts in the organization with minimal overhead—no per-account deployment or configuration is needed.

Exam trap

The trap here is that candidates assume SCPs can directly create or enable AWS resources like Config rules, but SCPs only control API actions and cannot perform resource creation or configuration.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets require manual setup and ongoing maintenance to deploy to new accounts as they are added, which adds operational overhead compared to a policy-based approach. Option B is wrong because enabling AWS Config in the management account and using an aggregator only centralizes compliance data; it does not enforce the Config rule in new accounts automatically. Option C is wrong because SCPs cannot directly enable AWS Config rules; they can only deny or allow API actions, not create or configure AWS resources.

Page 20

Page 21 of 24

Page 22